I have a remote client that I'm contracted for adding new features to their training website. Half way through the project, my client notified me that some data was missing for a two month period (I was contracted during this period.) The client in question has very strict security policies. I am not allowed access to their servers or databases. One of their IT guys gave me a copy of their live database, so that's what I've been working with. I'm positive I'm not to blame, because I have no possible way to alter the live database, only my copy. My client is generally understanding, however, I feel that she doesn't understand the situation technically enough to see it wasn't my fault. How do I convey to her (without seeming more guilty) that it was not my fault?

In addition, they want me to recover any data that is in my copy, which partially has the missing data. This is outside the scope of the project. How do I approach my client for addition hours? I feel she thinks it is within the scope because she isn't sure who/what caused the data to disappear.

I value this client, and I hope to build a long term relationship, but I'm worried this situation will put that in jeopardy.

Just FYI - using copies of live databases for development/testing can breach the data protection act (depending on their content).
– IanFeb 5 '15 at 11:30

@Ian That's a separate issue. The non-disclosure I signed explicitly stated what I could, and could not do (Using the database for development purposes was allowed.)
– JoeFeb 5 '15 at 14:27

2

Depends on your location - but they may have been in breach giving you live data of various data laws.
– IanFeb 5 '15 at 14:47

6

While I believe your statement I'm positive I'm not to blame, I would still suggest that you check again if there's ANY way your code/app/files could access the live database. Maybe there's a hidden ORM that's set wrong and you need to know you are in the clear. Do a global search for the live db parameters (IP maybe??).
– JongosiFeb 5 '15 at 20:19

4

It sounds a bit like someone at your client is in desperate need of a scapegoat and hopes to find one outside of their own company.
– PhilippFeb 7 '15 at 16:00

3 Answers
3

It usually helps if you give credit to others, instead of defending yourself. I.E. "Your IT manager, Bob, made sure to isolate me from your production database to make absolutely sure I wouldn't affect your production data, even accidentally."

Then add, "Of course, I'm happy to give you back the original data Bob provided me (You DID archive a pristine original, I hope) for this project. That should help your team recover some of the data. Also, I've become pretty familiar with the data structure while working on this project. If you wanted to engage me at my hourly rate outside of my project, I'm sure I can help."

Don't even give the appearance that you are concerned about any culpability. Give the impression that you understand the impact of the event, and that you are willing to help.

I would stress out more that as long as they just need you to send the file you have, of course you shouldn't bill that (how long would it take you? 10 minutes tops?). A completely different matter is if they expect you to search through that db and sift the data yourself (but why would they want you to do that?!).
– o0'.Feb 4 '15 at 18:41

1

I greatly appreciate this answer. @Lohoris I agree, but in this case the software is a CMS that I specialize in. So it would be tedious, but know the database well. They apparently do not have anyone capable of recovering the data themselves from the old version... sadly.
– JoeFeb 4 '15 at 18:45

16

@Joe, give them the choice: either you can return to them the file they supplied to you (no charge), or you can process the file and give them the results (charged at $ x /hour of work, estimated time y hours work). Hard then for them to say that you should work an unspecified number of extra hours for no pay. They'd really have to show that you're at fault to reasonably be able to demand that - which it seems like they can't, if you're not at at fault. (Even if you were at fault they should have a backup).
– A EFeb 4 '15 at 23:57

1

@AE Right. And the IT department kept only one week of backups. It was a disaster outside of my control. I appreciate the advice.
– JoeFeb 5 '15 at 14:30

2

I understand that this has 141+ votes, but I just have to say it - this is a magnificent answer.
– RaystafarianFeb 6 '15 at 9:44

You need a meeting with the 3 parties involved: you, this manager, and someone in IT that can explain how it is possible you could access these data.

Once that is addressed to everyone's satisfaction, you can offer to create a quote for additional work to transfer the data/fix the problem.

Since they're not even considering restoring one of their own backups to find the missing data, is a sign they don't know what they're doing, so you may want to offer to consult them in even more areas on data security.

Doing this in an actual meeting seems rather aggressive since the OP knows that there's no way for him to be at fault. He'd essentially be calling a meeting with the primary goal of proving the manager wrong. It might be a better approach to establish the OPs innocence via other channels first such as by asking the IT guy to simply confirm that OP had no access to the data. A meeting might then be an option if the manager proves particularly stubborn or dim-witted.
– Lilienthal♦Feb 5 '15 at 10:39

I thought of this, but I don't want to come across as 'guilty.' I'm trying to separate myself from the situation, I think a meeting might give the wrong impression. Good advice, thanks, just a little different for my situation.
– JoeFeb 5 '15 at 14:33

@Lilienthal - If the client thinks having a meeting to discuss a solution is aggressive, they need to get out of the business world because they don't have the stomach.
– user8365Feb 5 '15 at 16:15

@JeffO It depends on how you tactful you go about it. As long as the meeting is about more than just having the IT go "OP is right, manager is wrong" it's fine, but you want to avoid embarrassing the latter. Bad managers and clients are sadly very much a reality in business and it's almost never a good idea to do something you know might (unreasonably) antagonise them. The manager discussed here has already shown that he's not the brightest crayon in the box after all.
– Lilienthal♦Feb 5 '15 at 19:28

@Lilienthal - I hope a non-technical manager is relying on information presented by others with more expertise; otherwise, there is nothing to discuss. The point I'm trying to make is the manager's IT person(s) have given the manager incorrect information, so they don't appear to be at fault. Having both parties discuss this with the manager separately is creating the communication gap in this situation.
– user8365Feb 12 '15 at 23:12

If you want to build a long term relationship, don't let her push you around.

Calmly explain her that you are not to blame, and that her IT team should be able to come to the same conclusion. If they have strict security policies all access to sensitive information is likely to be authenticated and logged. If she only trusts her "gut-feeling" to blame you and won't listen to her IT team, you don't want to work with her.

As for the recovery task, your answer will be the same as for the question "how would you handle any request for work that is outside the scope of your contract" ?

Thanks for your answer. They have strict policies, but not very good logging, as they were unable to find the source of the disappearance. I suspect it was some goof-up internally, but obviously have no way of knowing.
– JoeFeb 5 '15 at 14:35